CVE-2024-4577 in PHP: TellYouThePass ransomware takes over servers around the world

Many infected servers become unresponsive, making it difficult to detect infections.

A new security threat has emerged: a vulnerability in the PHP programming language that allows attackers to execute malicious code on web servers. Cybersecurity researchers report that the vulnerability is being exploited at scale and used to install the TellYouThePass ransomware.

According to Censys, about 1,000 servers infected with the TellYouThePass ransomware were detected by June 13, a slight decrease from the roughly 1,800 infected servers recorded on June 10. Most of them are located in China. Instead of their usual content, the sites display a list of files whose extensions have been suffixed with ".locked", indicating encryption. The accompanying ransom note offers to restore access to the files for approximately $6,500.

The vulnerability, tracked as CVE-2024-4577 and rated 9.8 out of 10, is caused by errors in how PHP handles Windows' conversion of Unicode to ASCII characters. A built-in Windows feature called Best Fit allows attackers to use argument injection to pass malicious command-line options to the PHP CGI binary. This bypasses the fix for CVE-2012-1823, a critical vulnerability in the same code path that was patched in PHP in 2012.

CVE-2024-4577 affects PHP only in CGI mode, where the web server receives HTTP requests and passes them to a PHP executable. The vulnerability can also be exploited when the PHP executables, such as php.exe and php-cgi.exe, are located in directories accessible to the web server. This configuration is extremely rare, except on the XAMPP platform, where it is the default. A further condition is that the Windows locale is set to Chinese or Japanese.

The critical vulnerability was disclosed on June 6 along with a security patch. Within 24 hours, attackers had begun using it to install TellYouThePass. Imperva researchers reported that the malicious code uses the mshta.exe binary to run an HTML application hosted on an attacker-controlled server. The use of this binary is an example of the approach known as "living off the land", in which attackers use built-in OS functions and tools to disguise their actions as legitimate activity.
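As an added illustration (not part of the original post or of Imperva's or Censys' tooling), here is a small Python triage script that applies the points above from the defender's side: it flags requests to PHP CGI endpoints whose query string is option-style (a leading '-', or a leading non-ASCII byte that Best-Fit mapping could turn into one), and process events in which php-cgi.exe spawns mshta.exe. The log lines, the process events and the cmd.exe/powershell.exe entries in the child list are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample data (not from the original post): combined-style access-log
# lines plus simplified process-creation events from a Windows host.
ACCESS_LOG = """\
203.0.113.5 - - [08/Jun/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [08/Jun/2024:10:01:07 +0000] "POST /php-cgi/php-cgi.exe?%E9d+foo%3Dbar HTTP/1.1" 200 64
203.0.113.7 - - [08/Jun/2024:10:01:09 +0000] "GET /php-cgi/php-cgi.exe?-x+y HTTP/1.1" 200 64
203.0.113.8 - - [08/Jun/2024:10:01:11 +0000] "GET /index.php?q=caf%C3%A9 HTTP/1.1" 200 512
"""
PROCESS_EVENTS = [
    {"parent": r"C:\xampp\apache\bin\httpd.exe", "image": r"C:\xampp\php\php-cgi.exe"},
    {"parent": r"C:\xampp\php\php-cgi.exe", "image": r"C:\Windows\System32\mshta.exe"},
]

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# mshta.exe is the LOLBin named in the report; cmd.exe/powershell.exe are an added assumption.
LOLBIN_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe"}

def suspicious_request(line):
    """Reason string if the request looks like CGI argument injection, else None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    path, _, query = m.group(1).partition("?")
    # Only PHP CGI requests matter. Ordinary key=value parameters often carry benign
    # non-ASCII, and RFC 3875 only passes a '='-free QUERY_STRING as CGI argv, so skip '='.
    if "php" not in path.lower() or not query or "=" in query:
        return None
    raw = unquote_to_bytes(query)
    if raw[:1] == b"-":
        return "query string starts with '-' (CGI option style, CVE-2012-1823 pattern)"
    if raw[0] >= 0x80:
        return "query string starts with a non-ASCII byte (Best-Fit mapping candidate)"
    return None

def suspicious_process(ev):
    """Reason string if a PHP CGI process spawned a living-off-the-land binary."""
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    if parent in {"php-cgi.exe", "php.exe"} and image in LOLBIN_CHILDREN:
        return f"{parent} spawned {image}"
    return None

def triage(access_log=ACCESS_LOG, events=PROCESS_EVENTS):
    """Collect (source, reason) findings from both data sets."""
    hits = [("web", r) for r in map(suspicious_request, access_log.splitlines()) if r]
    hits += [("proc", r) for r in map(suspicious_process, events) if r]
    return hits
```

Running `triage()` on the constructed data returns three findings: the two option-style php-cgi requests and the php-cgi.exe to mshta.exe process chain; the benign UTF-8 parameter on index.php is not flagged.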

Censys researchers note that the TellYouThePass distribution campaign began on June 7 and resembles other attacks in which attackers mass-scan the Internet for vulnerable systems as soon as a serious vulnerability is disclosed. Most of the infected servers are located in China, Taiwan, Hong Kong, and Japan, which is probably because the vulnerability has been confirmed only on systems configured with a Chinese or Japanese locale.

Since then, the number of infected sites has ranged from 670 on June 8 to 1,800 on June 10. Censys researchers note that they are not completely sure about the reasons for the change in these figures.

"From our point of view, many compromised hosts remain online, but the port running PHP-CGI or XAMPP is no longer responding, which explains the decrease in the number of detected infections," they wrote. "It is also worth considering that no ransomware payments are currently registered to the only bitcoin address listed in the ransom notes. Based on these facts, our intuition suggests that this is probably the result of decommissioning these services or disabling them for other reasons."

The researchers also noted that about half of the hacked systems appear to have used XAMPP. However, this figure may be underestimated, since not all services explicitly indicate the software used.

"Given that XAMPP is vulnerable by default, we can assume that most infected systems use it," the researchers say.

Although XAMPP is the only confirmed affected platform, all PHP users on any Windows system are advised to install the update as soon as possible. Imperva's post contains IP addresses, file names, and file hashes that administrators can use to determine whether their systems have been attacked.